Android Apps Fail Risk Assessment Check

Published : 22/11/2024   Category : security




Study finds 26% of Android apps available via official Google Play app store pose a potential risk to enterprise security.



One-quarter of Android apps available via the official Google Play app store put users at risk by having permission to access sensitive, personal information, including emails and contact information. That finding comes from an analysis conducted by security firm Bit9 of 412,212 of the roughly 600,000 apps available via Google Play.
Overall, according to the related report released by Bit9, 72% of the apps studied have at least one potentially risky permission. The leading culprits in risky permissions are access to GPS data (42% of apps), phone calls or numbers (31%), contacts and email or other personal data (26%), and permissions that can lead to fraudulent phone charges (9%).
For the study, Bit9 researchers compared the specific permissions used by each app with the app type, user ratings, and the number of times the app had been downloaded, as well as the reputation of the app publisher. The researchers then used this information to qualify, on a per-app basis, which permissions were questionable or suspicious. For example, numerous wallpaper applications -- as well as games and utilities -- include as one of their allowed permissions the ability to access a user's GPS location.
As that suggests, risk doesn't necessarily correlate with outright maliciousness. "In the old days, of course, the chief concerns were viruses and Trojans and apps that are out to do intentional harm, but in the BYOD and mobile space, there's a new concern, which is privacy," said Harry Sverdlove, CTO for Bit9, speaking by phone. By privacy, he's referring not just to consumer privacy, but also the privacy of corporate data, because 71% of businesses allow their employees to connect their personal smartphones to corporate networks, according to a survey of 139 IT security decision makers recently conducted by Bit9. Furthermore, 78% of surveyed information security personnel think smartphone vendors don't build sufficient security controls into their devices, and 68% said their principal concern with smartphones is information security.
Even so, only 37% of businesses have deployed anti-malware software on employee-owned devices, and only 24% of businesses can see what's running on those devices via smartphone monitoring or management tools. "In other words, in most businesses, IT has no control," said Sverdlove. "You might as well just put your company's email and sensitive documents out on a coffee table in a cafe somewhere, and hope nobody's looking."
Sverdlove said the gold standard in curtailing excessive app permissions currently is Apple iOS 6, because it allows users to install apps, and then decide -- whenever the OS alerts the user that an app is making a request -- whether to grant that app access to such things as the device location, photos, contacts, or other potentially sensitive information.
"Google is making great strides, but in Android, that's not currently possible," said Sverdlove. Instead, if you install an Android app, you're agreeing to give it every permission that it asks for. One caveat is that some third-party utilities will curtail app access, but such utilities can only be run on rooted phones. "It's an all-or-nothing game, unless you root your Android phone, and that gets really messy," said Sverdlove.
Why do Android apps request so many permissions? One possibility is developer laziness: it's easier to request every permission that might be required than to eliminate every permission that isn't required. Regardless of the cause, however, excessive permissions can have pernicious results because many apps don't operate alone.
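How a per-app check of the kind the study describes could be implemented, as an added example rather than Bit9's tooling or code from the article: it parses the uses-permission entries of an AndroidManifest.xml, sorts them into the four risk categories the article names (location, phone, personal data, charges), and flags the ones that are implausible for the declared app type. The concrete permission strings assigned to each category, the small table of which categories each app type could plausibly need, and the manifest for the hypothetical wallpaper app are all assumptions constructed for this example.

```python
"""Permission risk check over an Android manifest (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Which concrete permissions fall into which of the article's four risk
# categories is this example's assumption, not Bit9's published list.
RISKY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.CALL_PHONE": "phone",
    "android.permission.READ_CALL_LOG": "phone",
    "android.permission.READ_CONTACTS": "personal_data",
    "android.permission.GET_ACCOUNTS": "personal_data",
    "android.permission.READ_SMS": "personal_data",
    "android.permission.SEND_SMS": "charges",
    "com.android.vending.BILLING": "charges",
}

# Categories a given kind of app could plausibly need (assumed taxonomy).
# A wallpaper app has no obvious reason to touch any of them.
EXPECTED_BY_APP_TYPE = {
    "wallpaper": frozenset(),
    "game": frozenset({"charges"}),
    "navigation": frozenset({"location"}),
    "dialer": frozenset({"phone", "personal_data"}),
    "messaging": frozenset({"personal_data", "charges"}),
}

# Constructed manifest for a hypothetical wallpaper app that, like the
# wallpaper apps in the study, asks for location (and contacts) access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.prettywallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Pretty Wallpapers"/>
</manifest>
"""


def parse_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission>, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)]


def classify(permissions):
    """Group the risky permissions by category; benign ones are dropped."""
    buckets = {}
    for perm in permissions:
        bucket = RISKY_PERMISSIONS.get(perm)
        if bucket:
            buckets.setdefault(bucket, []).append(perm)
    return buckets


def assess(manifest_xml, app_type):
    """Summarise one app: the risk categories it touches and the risky
    permissions that look out of place for its declared type (the study's
    'questionable' set). An unknown app type is given no expected categories,
    so every risky permission is reported as questionable."""
    permissions = parse_permissions(manifest_xml)
    buckets = classify(permissions)
    expected = EXPECTED_BY_APP_TYPE.get(app_type, frozenset())
    questionable = [p for p in permissions
                    if p in RISKY_PERMISSIONS and RISKY_PERMISSIONS[p] not in expected]
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "risky": bool(buckets),
        "buckets": buckets,
        "questionable": questionable,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_MANIFEST, "wallpaper")
    print(result["package"], "risky:", result["risky"])
    for perm in result["questionable"]:
        print("  questionable for a wallpaper app:", perm)
```

Run against a real app, the same manifest-level check is only the first pass: it says what an app may do, not what it does, and a bundled advertising library inherits every one of these permissions without appearing in the manifest at all, which is the point the article goes on to make.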
"The majority of apps are free, and the way developers support themselves is they bundle in third-party advertising, and that's code that developers don't have access to, they're just bundling it in," said Sverdlove. "But that gives the advertising code access to everything that the core app can access. So you're letting your friend in the door, and your friend has all of the permissions that you have now," he said.
On a related note, California's attorney general this week announced a crackdown on mobile apps that lack conspicuous privacy policies clearly stating what personal information the app collects, as well as what will be done with that information. But might developers who include third-party advertising code in their apps run afoul of California privacy laws, because the apps are hooking into advertiser-run tracking networks in ways that developers won't know?
"I do think there will be some questions raised, but more likely than not it will be from a legal standpoint, and third-party advertisers held culpable, because that's legal logistics: you go after the organization with the deep pockets," said Sverdlove.
A spokesman for the California attorney general's office wasn't immediately available to detail how the state plans to enforce the privacy law when it comes to developers bundling third-party advertiser code into their apps.
What can businesses do to better secure Android smartphones? The Bit9 report suggests that businesses educate employees about what app permission requests really mean, and tell them to stay away from third-party app markets, where the majority of malicious Android apps lurk. They also should monitor the apps on employee-owned devices, to try to block known bad pieces of software. In addition, Bit9 recommends blocking rooted or jailbroken devices from accessing corporate networks, because rooting a device can disable built-in security protections. Finally, it recommends whole-device encryption for Android; enabling screen locking, which means a password is required to access a device; and using remote wiping, in the event that a device containing corporate data goes missing.
Benchmarking normal activity and then monitoring for users who stray from that norm is an essential strategy for getting ahead of potential data and system breaches. But choosing the right tools is only part of the effort. Without sufficient training, efficient deployment and a good response plan, attackers could gain the upper hand. Download our Fundamentals Of User Activity Monitoring report. (Free registration required.)
